Merge pull request #1 from Armadillidiid/feat/improved-ssl-acquisitio…

…n-compose-setup Feat/improved ssl acquisition compose setup
Armadillidiid · Mar 17, 2024 · af61cee · af61cee
2 parents 50a3218 + fc9f446
commit af61cee
Show file tree

Hide file tree

Showing 8 changed files with 895 additions and 140 deletions.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -38,7 +38,8 @@ jobs:
           DJANGO_SECRET_KEY: ${{ secrets.DJANGO_SECRET_KEY }}
         run: |
           docker compose build
-          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:app-$IMAGE_TAG
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:nginx-$IMAGE_TAG
 
       - name: Set Docker Pull Image Environment Variable
         run: echo "DOCKER_PULL_IMAGE=${{ steps.login-ecr.outputs.registry }}/${ECR_REPOSITORY}:${IMAGE_TAG}" >> $GITHUB_ENV
@@ -55,7 +56,13 @@ jobs:
           REMOTE_HOST: ${{ secrets.HOST_DNS }}
           REMOTE_USER: ${{ secrets.USERNAME }}
           TARGET: ${{ secrets.TARGET_DIR }}
-          SCRIPT_BEFORE: mkdir -p ${{ secrets.TARGET_DIR }}
+          SOURCE: "docker-compose.yaml"
+          SCRIPT_BEFORE: |
+            mkdir -p ${{ secrets.TARGET_DIR }}
+            if ! grep -q "source export-env" ~/.bash_profile; then
+                echo "source export-env" >> ~/.bash_profile
+            fi
+            touch export-env
           SCRIPT_AFTER: |
             aws ecr get-login-password --region "${{ secrets.AWS_REGION }}" | docker login --username AWS --password-stdin "${{ steps.login-ecr.outputs.registry }}"
 
@@ -70,14 +77,14 @@ jobs:
             echo 'export DJANGO_CSRF_TRUSTED_ORIGINS="${{ secrets.DJANGO_CSRF_TRUSTED_ORIGINS }}"' >> export-env
             echo 'export SERVER_NAME="${{ vars.SERVER_NAME }}"' >> export-env
             echo 'export CERTBOT_EMAIL="${{ secrets.CERTBOT_EMAIL }}"' >> export-env
-            echo 'export IS_SSL_ACQUIRED="${{ vars.IS_SSL_ACQUIRED }}"' >> export-env
-
-            echo 'export ECR_REGISTRY="${{ steps.login-ecr.outputs.registry }}"' > export-ecr
-            echo 'export ECR_REPOSITORY="${{ env.ECR_REPOSITORY }}"' >> export-ecr
-            echo 'export IMAGE_TAG="${{ env.IMAGE_TAG }}"' >> export-ecr
+            echo 'export ECR_REGISTRY="${{ steps.login-ecr.outputs.registry }}"' >> export-env
+            echo 'export ECR_REPOSITORY="${{ env.ECR_REPOSITORY }}"' >> export-env
+            echo 'export IMAGE_TAG="${{ env.IMAGE_TAG }}"' >> export-env
 
             source ~/.bash_profile
-            docker stop rumble
-            docker rm rumble
-            cd "${{ secrets.TARGET_DIR }}" && docker compose up -d
-            docker system prune -a
+            cd "${{ secrets.TARGET_DIR }}"
+            docker compose pull
+            docker compose down
+            docker compose up -d 
+            rm -f local_ssh_script-before-*.sh
+            docker system prune -af
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -5,7 +5,7 @@ services:
     build: .
     restart: always
     container_name: rumble
-    image: ${ECR_REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}
+    image: ${ECR_REGISTRY}/${ECR_REPOSITORY}:app-${IMAGE_TAG:-latest}
     volumes:
       - static-data:/app/staticfiles
       - media-data:/app/media
@@ -44,37 +44,82 @@ services:
       timeout: 5s
       retries: 5
 
-  web-server:
+  nginx:
     build:
       context: ./nginx
       dockerfile: Dockerfile
-      args:
-        - IS_SSL_ACQUIRED=${IS_SSL_ACQUIRED}
+    image: ${ECR_REGISTRY}/${ECR_REPOSITORY}:nginx-${IMAGE_TAG:-latest}
     container_name: nginx
-    ports:
-      - "80:80"
-      - "443:443"
     environment:
       - APP_HOST=app
       - APP_PORT=8000
       - SERVER_NAME=${SERVER_NAME}
-      - CERTBOT_EMAIL=${CERTBOT_EMAIL}
+      - VIRTUAL_HOST=${SERVER_NAME},www.${SERVER_NAME}
+      - LETSENCRYPT_HOST=${SERVER_NAME}
     volumes:
       - static-data:/app/staticfiles
       - media-data:/app/media
-      - ./data/certbot/conf:/etc/letsencrypt
-      - ./data/certbot/www:/var/www/certbot
+      - certs:/etc/nginx/certs
     depends_on:
       - app
+      - nginx-proxy
+      - nginx-proxy-gen
+      - nginx-proxy-acme
+
+  nginx-proxy-gen:
+    image: nginxproxy/docker-gen
+    container_name: nginx-proxy-gen
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - conf:/etc/nginx/conf.d
+      - vhost:/etc/nginx/vhost.d
+      - html:/usr/share/nginx/html
+      - certs:/etc/nginx/certs
+    command: >
+      sh -c "mkdir -p /etc/docker-gen/templates/ &&
+      wget -O /etc/docker-gen/templates/nginx.tmpl https://raw.githubusercontent.com/nginx-proxy/nginx-proxy/main/nginx.tmpl &&
+      docker-gen -notify-sighup nginx-proxy -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf"
+    restart: always
+
+  nginx-proxy:
+    image: nginx
+    container_name: nginx-proxy
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - conf:/etc/nginx/conf.d
+      - vhost:/etc/nginx/vhost.d
+      - html:/usr/share/nginx/html
+      - certs:/etc/nginx/certs
+    depends_on:
+      - nginx-proxy-gen
 
-  certbot:
-    image: certbot/certbot:v2.9.0
-    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 24h & wait $${!}; done;'"
+  nginx-proxy-acme:
+    image: nginxproxy/acme-companion
+    container_name: nginx-proxy-acme
     volumes:
-      - ./data/certbot/conf:/etc/letsencrypt
-      - ./data/certbot/www:/var/www/certbot
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - acme:/etc/acme.sh
+      - conf:/etc/nginx/conf.d
+      - vhost:/etc/nginx/vhost.d
+      - html:/usr/share/nginx/html
+      - certs:/etc/nginx/certs
+    environment:
+      - NGINX_PROXY_CONTAINER=nginx-proxy
+      - NGINX_DOCKER_GEN_CONTAINER=nginx-proxy-gen
+      - DEFAULT_EMAIL=${CERTBOT_EMAIL}
+    depends_on:
+      - nginx-proxy
+      - nginx-proxy-gen
+    restart: always
 
 volumes:
   db-data:
   static-data:
   media-data:
+  conf:
+  vhost:
+  html:
+  certs:
+  acme:
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
@@ -1,31 +1,2 @@
 FROM nginx:1.25.4
-
-# Set the working directory
-WORKDIR /
-
-# Add cron job to reload nginx every 24 hours
-RUN echo "0 0 * * * root docker exec -it nginx nginx -s reload" > /etc/cron.d/nginx-job
-
-# Download extra SSL configuration files
-RUN curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > /options-ssl-nginx.conf && \
-  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > /ssl-dhparams.pem
-
-# Set the default environment variable
-ARG IS_SSL_ACQUIRED
-
-# Create a directory for template files
-RUN mkdir -p /etc/nginx/templates
-
-# Copy template file based on SSL certificate acquisition
 COPY ./default.conf.template /etc/nginx/templates/default.conf.template
-COPY ./default.staging.conf.template /etc/nginx/templates/default.staging.conf.template
-
-# Copy template file based on SSL certificate acquisition
-RUN if [ "$IS_SSL_ACQUIRED" = "true" ]; then \
-  rm /etc/nginx/templates/default.staging.conf.template; \
-  else \
-  rm /etc/nginx/templates/default.conf.template; \
-  fi
-
-# COPY proxy params
-COPY ./proxy_params /etc/nginx/proxy_params
diff --git a/nginx/default.conf.template b/nginx/default.conf.template
@@ -1,27 +1,15 @@
 server {
-  listen 80;
-  server_name ${SERVER_NAME};
+    listen 80;
+    server_name www.${SERVER_NAME};
 
-  location /.well-known/acme-challenge/ {
-    root /var/www/certbot;
-  }
-
-  location / {
-      return 301 https://$host$request_uri;
-  }
+    # Redirect www to non-www over HTTPS
+    return 301 https://${SERVER_NAME}$request_uri;
 }
 
 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    listen 80;
     server_name ${SERVER_NAME};
 
-    ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem;
-
-    include /options-ssl-nginx.conf;
-    ssl_dhparam /ssl-dhparams.pem;
-
     location /static {
         alias /app/staticfiles/;
     }
@@ -31,7 +19,6 @@ server {
     }
 
     location / {
-      proxy_pass      http://${APP_HOST}:${APP_PORT};
-      include /etc/nginx/proxy_params;
+        proxy_pass http://${APP_HOST}:${APP_PORT};
     }
 }
diff --git a/nginx/default.staging.conf.template b/nginx/default.staging.conf.template